ABSTRACT



A system for screening data packets transmitted between a 
network to be protected, such as a private network, and 
another network, such as a public network. The system 
includes a dedicated computer with multiple (specifically, 
three) types of network ports: one connected to each of the 
private and public networks, and one connected to a proxy 
network that contains a predetermined number of the hosts 
and services, some of which may mirror a subset of those 
found on the private network. The proxy network is isolated 
from the private network, so it cannot be used as a jumping 
off point for intruders. Packets received at the screen (either 
into or out of a host in the private network) are filtered based 
upon their contents, state information and other criteria, 
including their source and destination, and actions are taken 
by the screen depending upon the determination of the 
filtering phase. The packets may be allowed through, with or 
without alteration of their data, IP (internet protocol) 
address, etc., or they may be dropped, with or without an 
error message generated to the sender of the packet. Packets 
may be sent with or without alteration to a host on the proxy 
network that performs some or all of the functions of the 
intended destination host as specified by a given packet. The 
passing through of packets without the addition of any 
network address pertaining to the screening system allows 
the screening system to function without being identifiable 
by such an address, and therefore it is more difficult to target 
as an IP entity, e.g. by intruders. 

3 Claims, 7 Drawing Sheets 
SYSTEM FOR PACKET FILTERING OF
DATA PACKET AT A COMPUTER 
NETWORK INTERFACE 

This application is a divisional application of U.S. patent 
application Ser. No. 08/444,351, filed May 18, 1995, now 
U.S. Pat. No. 5,802,320. 

BACKGROUND OF THE INVENTION 

The present invention relates to screening of data packets
sent from one computer network to another. There are
numerous ways for a user on a public network to interact
with a host machine on a private network, such as in a telnet
session, an ftp (file transfer protocol) session, by email
(electronic mail), and so on. In addition, computers on a
given target network may be requested to carry out certain
operations by users outside the network without the
requester's machine connecting to them directly.

A conventional internetwork 10 is shown in FIG. 1, 
including a private network 20, a public network 30, and 
another private network 40. If the private networks 20 and 
40 are not provided with firewalls, they are quite vulnerable 
to intruders. 

FIG. 3 shows an internetwork 110 where a private
network 120 can communicate with another private network
140 via a router or bridge 130, which is controlled by logic
(such as a circuit, or typically a processor with associated
memory) 150 which controls network interfaces 160 and
170. When a data packet arrives from network 140
addressed to a host and specifying a port on network 120, it
is mapped to that host and port by unit 180, and transmitted
via interface 160 to the appropriate destination on the
network 120. The system of FIG. 3 is likewise not provided
with any security, and hence is available for targeting.

Computer firewalls have therefore been developed, as in 
the system 50 shown in FIG. 2, where private networks 60 
and 100 can communicate with one another via public 
network 80, but are provided with firewalls 70 and 90, 
respectively. A problem with conventional computer fire- 
walls (and routers or bridges such as bridge 130 in FIG. 3) 
in use today is that they participate in IP (Internet Protocol) 
transactions, and in doing so generate information identify- 
ing them as IP machines, which makes them visible for 
targeting by intruders. For a detailed discussion of this and 
other types of problems with firewalls, see, e.g. the reference 
Firewalls and Internet Security by Cheswick & Bellovin 
(Addison Wesley 1994), and Internet Firewalls and Network
Security by Siyan & Hare (New Riders Publishing 1995), 
which are incorporated herein by reference. 

A firewall and packet filtering system should ideally be
invisible to intruders so as to help minimize the number of
ways in which it can be targeted, while nonetheless fulfilling
the functions that are appropriate to it.

Current network security solutions often involve modifi- 
cations to the networks in addition to the provision of 
firewalls, which can be complicated and expensive. A sys- 
tem is needed that can be connected to a network substan- 
tially without altering it, but providing security against 
breaches from outside the protected network. 

Packet filtering systems are used today to provide security
for networks, but conventionally act as routers, having one
port or network interface coupled to the protected network
and another port to another network or the Internet. As
routers, such systems are responsive to IP commands, and in
particular may respond to data packets by using their IP
address. This allows intruders to target them for
characterization and attack.
The same type of targeting may be accomplished when
addresses within a protected network are known to users
outside the network. It would therefore be advantageous to
provide a system that can respond to data packets from
outside a network without revealing IP address information
about either the filtering system or about hosts within the
network.

SUMMARY OF THE INVENTION 

The present invention is directed to a screening system
that acts as both a firewall in the conventional sense and a 
signatureless packet filtering system. A screen is positioned 
on the network connection between, for example, a public 
network and a private network that is to be protected from 

15 targeting for attack. A port or network interface is provided 
for each of the two networks, and one or more additional 
ports are provided to one or more proxy networks. 

The screening system includes a packet filtering
subsystem or module, which inspects each incoming packet and
sends it to an engine, which determines, based upon the
packet inspection and other information, what actions should
be taken on the packet. The packet is passed to an actions
subsystem or module, which executes the appropriate
actions.

If the packet's intended destination is a host machine on
the private network, it may instead be sent aside to a
preconfigured host machine on the proxy network, which
executes appropriate operations that the actual host would
execute, or different operations as desired. The proxy host
generates responses using the IP address of the actual host,
so the existence of the proxy network is not detectable. The
screening system is not a router and hence does not have its
own IP address, so it too cannot be detected in this manner,
and is not subject to such operations as trace_route, ping,
finger, and so on.

The screening system requires no modification to the 
private or public networks; instead, it can be connected 
in-line on the network connection, a proxy network can be
set up with as many hosts as desired, and security is thereby
provided without reconfiguring the private network or alter- 
ing the network software. 

The screening system can be preconfigured to carry out a 
wide range of other actions on the packets, all subject to
predetermined criteria, such as dropping them with or
without an error message, logging them, altering them or their
headers, and so on. Each of these and other actions can be 
carried out while maintaining the anonymity of the screen- 
ing system. 


BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a block diagram of a system connecting two 
computer networks via a public network. 

FIG. 2 is a block diagram of a system connecting two
computer networks via a public network, using intervening
firewalls.

FIG. 3 shows a conventional system including a bridge 
between two computer networks. 
FIG. 4 is a block diagram of an exemplary connection
from a private network and a public network to another 
private network, via firewalls. 

FIG. 5 is a block diagram of a computer internetwork
including a packet screening system according to the
invention.

FIG. 6 is a functional block diagram of a packet screening 
system of the invention on an internetwork. 
FIG. 7 is a block diagram of an alternative embodiment of the packet screening system of the invention.

FIG. 8 is a block diagram of hardware for implementing the invention.

FIG. 8A is a diagram of another embodiment of the invention.

FIG. 9 is a functional block diagram of the invention.

FIGS. 10-11 are flow charts of the method of packet screening according to a preferred embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The Hardware of the Invention

FIG. 4 shows an internetwork system appropriate for implementation of the present invention. A public network 200 (or network of networks, such as the Internet) can communicate with a private network or internetwork 210, which includes by way of example an engineering domain network 220 and a corporate domain network 230. A conventional firewall 240 is positioned as shown between the network 220 and the networks 230 and 200. Note that the firewall may, as illustrated, be positioned between a given private network (220) and a public network (200), and also between the private network 220 and other networks (such as 230) within its own private internetwork 210. The networking hardware and software can be any suitable conventional networking system, such as Ethernet.

Firewall 240 may be configured as a single machine or as separate machines, one handling the incoming data packets and the other handling the outgoing data packets from network 220, as desired by the implementer. In addition, another firewall specifically for the corporate domain network 230 would normally be used, but is not illustrated in this figure.

Any data packets transmitted from either of the networks 200 or 230 travel via connections 300 or 280 to the firewall 240, which may be conventional except in the respects noted below. Firewall 240 passes allowed data packets via connection 250 to the network 220.

Likewise, data packets from network 220 addressed to destinations within network 200 or network 230 are transmitted over connection 270 to the firewall 240, which passes packets as requested, subject to its security provisions, via connection 310 (if to network 200) or connection 290 (if to network 230). Connections 250 and 270-310 may all be conventional network connections, for example cables, fiber optics, or the like.

FIG. 5 is a logical block diagram of a packet screening system 340 of the invention that can be implemented in an internetwork system 320, which may alternatively be an internetwork such as that shown in FIG. 4; thus, firewall 240 may be replaced by the screening system 340, which is configured to handle all of the conventional firewall functions plus the screening functions described below.

In FIG. 5, a single private network 330 is shown coupled via a standard network interface 410 to the packet screening system (or simply "screen") 340. In addition, public network 350 is coupled to the screen 340 via another standard network interface 425. A third network, proxy network 430, is coupled to the screen 340 via network interface 420.

Using firewall connections such as those in FIGS. 4 and 5, any number N of private networks (which in this case may be considered to include the proxy network) may be coupled via multiple screens 340 of the invention to one another and to any desired number M of public networks. Thus, an NxM screening system may be formed; in the example of FIG. 5, N=2 and M=1. See also the discussion below of FIG. 8.

It is equally possible to build a system of the invention without the proxy network, where N=M=1, and where data packets would be passed through without alteration of the IP address in one or both directions, or with some alteration but without adding any IP or other network address of the screening system itself. Such a system is described below in connection with FIG. 8A.

FIG. 6 shows greater detail of the screen 340, which may be a uni- or multiprocessor based system; in this embodiment, a single processor 390 is shown, coupled to one or more conventional memories (for example, RAM, ROM, EPROM, disk storage, etc.) 400, which store(s) the instructions necessary to execute the operations carried out by the invention. The network interfaces 410-425 are controlled by the processor 390 in conventional fashion.

The private network will typically include many different hosts: examples are a mail host 360; an ftp (file transfer protocol) host 370 for governing ftp connections; and other hosts 380 for other services, such as a WWW (World-Wide Web) server, hosts for rlogin (remote login) and rshell, and so on.

The proxy network 430 includes proxy (or virtual) hosts 435, which preferably are separate computer systems. In the preferred embodiment, the proxy network 430 includes a virtual host mirroring (or acting as proxy for) each of a subset (or all) of the hosts found on the private network 330, in a manner to be described below.

Such virtual hosts in the embodiment shown include a proxy mail server 440, a proxy ftp server 450, and other virtual hosts 460, with a virtual (proxy) host for each actual host desired to be duplicated, which may include some or all of the actual hosts. The proxy hosts are "virtual" in the sense that they are not the actual targeted hosts 360-380, but rather mimic the behavior of those hosts; they do, however, represent actual hardware and/or software in the proxy network.

Hosts may also be included that are unique to the proxy network. For instance, the proxy network 430 may include a WWW server 445 which is unique to the proxy network, i.e. is not merely a mirror or proxy for a WWW server within the network 330. In this case, when a user from network 350 requests a connection to http://www.<private network>.com, he/she will be connected to WWW server 445. Other servers 455 unique to the proxy network 430 may also be provided.

A proxy network may thus include proxy hosts representing actual hosts, and/or proxy hosts with unique servers, in any combination (zero to several of each). Whichever configuration is adopted, the private network 330 and the proxy network 430 together form a single logical or apparent network 345, i.e. a single apparent domain from the point of view of outsiders, such as users on the public network 350, so that when a user attempts to access a service or host of the private network, the request may be shunted aside to the proxy network to either a mirroring proxy host or a unique proxy host, without any indication being given to the user that this has occurred. (Note that "proxy host" may mean that it is a proxy for an actual host, or may mean that it is a host on the proxy network, albeit a unique host.)

FIG. 7 shows an alternate embodiment of the system of the invention, namely a system 325 wherein the proxy network 430 is implemented entirely in program instructions stored in the memory 400 of the screen 340, or as additional processor(s) and memory(-ies) controlled by program instructions stored in one or more of the memories. In this case, the screen 340 and proxy network 430 shown in FIG. 6 constitute separate logical entities, but not separate physical entities (except to the extent that the instructions, data, commands, signals, etc. are themselves separate physical entities). That is, the screen 340 and proxy network may be a single unit. In this embodiment, proxies for the hosts 360-380 are emulated by the program instructions, so that all of the behavior of any of the actual hosts may be mimicked by a virtual proxy host module. The remainder of the present disclosure is with reference to FIGS. 5-6, but should be understood as applicable as well to the embodiment of FIG. 7.

FIG. 8 is a block diagram of the hardware for implementing the system of the invention, showing additional detail of the screen 340 over that shown in FIGS. 5-6. Like-numbered elements in the drawings are alike; so it will be seen that FIG. 8 additionally shows conventional disk storage 500, and I/O (input/output) devices 510 such as a smart card, keyboard, mouse, monitor, and/or other standard I/O devices, as well as other desired conventional storage or memory 520. The instructions or program modules stored in memory 400 control the operation of the screen 340.

In one embodiment, the screen does not provide conventional user-level access, e.g. does not include the standard keyboard and monitor. This is a security feature to prevent meddling with the screen's configuration. In such an embodiment the screen is administered remotely through a dedicated network port with a secret IP (or other protocol) address that responds only to communications that are authenticated, encrypted and conforming to a dedicated, special-purpose administration protocol. Such a protocol, and the encryption and authentication schemes used, may be developed and/or selected by the screen administrator.

As shown in FIG. 8, the screen 340 may include, instead of a single port 425 (as in FIG. 5) connected to a public network, multiple ports 427 connected to multiple public networks, respectively, and may include one or more additional ports 415 connected to other private network(s) 335. For instance, the private network 330 may be an engineering domain eng.sun.com in a company, while the private network 335 may be a corporate domain corp.sun.com within the same company. The eng.sun.com and corp.sun.com domains may communicate with one another (if desired, through an additional screen of the invention or a conventional firewall, not shown) via connection 337, and form a single private internetwork 355, while both these domains are protected against intrusions from public network(s) 350 by the screening system 340. The proxy network 430 in this embodiment includes proxies for both the eng.sun.com and corp.sun.com domains.

Thus, although in the remainder of the present discussion it is assumed that the communications in question are between a single public network 350 and a single private network 330, the features of the invention may equally well be applied to multiple private networks 330, 335 connected via the screen 340 to multiple public networks 350.

In the system 530 shown in FIG. 8A, a private network 540 is provided with a screening system 540 according to the invention, but without the proxy network. In this and the other embodiments, data packets are transmitted in either direction without alteration of their IP addresses, or alternatively with some alteration but without adding any IP or other network address of the screening system itself. The decision to alter addresses or not can be made on a packet-by-packet basis according to the predetermined criteria.

In the system of the invention (including any of the embodiments of FIGS. 5-9), the source and destination addresses that are provided with the packet would thus remain (whether altered or not) the sole host identifiers or addresses associated with the packet. In an alternative to this embodiment, the screening system can substitute another network address for either the source address or the destination address (or both), where the newly substituted address is either bogus or belongs to a host other than the screening system. In either case, no network address pertaining to the screening system attaches to a data packet.

As indicated above, the screening system preferably does not even have an IP or other network address, and while it can interpret IP protocol, it is configured not to respond to IP requests. Thus, the screening system avoids detection and hence targeting by intruders.

The operation of the system of FIGS. 5-6 will be discussed in detail below in connection with FIGS. 9-11, but should be understood to apply to the other embodiments of the invention. Each of the operations, actions or functions to be executed by the system of the invention, as discussed above and hereinafter, may be implemented as program instructions or modules, hardware (e.g. ASICs or other circuitry, ROMs, etc.), or some combination thereof.

General Handling of Data Packets

In FIG. 6, when a data packet arrives from the public network 350 addressed to one of the hosts or servers 360-380, it is intercepted by the screen 340. Such a packet typically will include a source address, a destination address, a requested operation and/or service, and other information, such as a message (if it's email), data to be operated on, and so on.

The screen 340 includes instructions stored in memory 400 governing its control of actions to be taken on the incoming (and outgoing) data packets. These instructions include a predetermined set of criteria based upon the aforementioned contents of the data packets (source and destination addresses, type of service, or other information obtainable from the data packets), and based upon other information, such as: the time of day the packet was sent or is received by the screen; the state of the connection between the public and private networks (or the state of the connection to a particular host or service in the private network); and more obliquely obtainable information, such as whether the source address emanates from an expected (inter)network location. This may be done by determining whether the source host is in the expected domain, or it may be done by determining whether the packet arrives at a network interface expected for that packet. For instance, a packet whose source address is identified as a host on private network 330 should not arrive at network interface 425 (in FIG. 6) for the public network 350; if it does, this is an indication that an intruder may be attempting to breach the private network by masquerading as a trusted host. In this case, the screen 340 should drop the packet without reply.

Such screening criteria can be implemented by inspecting the contents of the data packets, by reference to external data (such as connection status and time of day), and by reference to pre-defined tables or other information useful to implement the criteria and stored in the memory 400. For instance, a table may be provided of all source addresses allowed to communicate with the network 330, correlated with the types of operations and services they are allowed to use, the times of day they are allowed to be connected or to pass packets, the expected locations for the sources (since a connection from an unexpected source may indicate a security problem), the number of times a source is allowed to commence a transaction, the total amount of time (e.g. per day or month) that a particular source is allowed to use services of the network 330, and so on.
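The criteria just listed, applied to constructed packets, as an added example in Python; it is not code from the patent or from any Sun product. The interface numbers follow FIGS. 5-6, but the address ranges, the allowed-source table, the mapping from real hosts to their proxy hosts and the masquerade address are all assumptions made for illustration. The screen itself never appears as an address in any packet: every outcome is pass, silent drop (no ICMP error, no bounce) or diversion to the proxy network. On diversion the destination is rewritten to the proxy host, and on the way back the real host's address is restored; the text has the proxy host itself reply with the real host's address, and having the screen do that rewrite instead is a design choice of this example so that the proxy host can keep its own address.

```python
"""Screening-decision engine modelled on the criteria in the text.
Added example, not the patent's code; topology and tables are assumed."""
from dataclasses import dataclass, replace
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

# Interfaces numbered as in FIG. 5; the address ranges are assumptions.
PRIVATE_IF, PROXY_IF, PUBLIC_IF = "if410", "if420", "if425"
PRIVATE_NET = ip_network("10.1.0.0/16")   # private network 330 (assumed range)
PROXY_NET = ip_network("10.2.0.0/16")     # proxy network 430 (assumed range)
# Real host -> proxy host mirroring it (mail 360 -> proxy mail 440, ftp 370 -> 450).
PROXY_FOR = {"10.1.0.25": "10.2.0.25", "10.1.0.21": "10.2.0.21"}
REAL_FOR = {proxy: real for real, proxy in PROXY_FOR.items()}
MASQ_SRC = "10.1.0.1"   # topology hiding: every outbound packet appears to come from here


class Action(Enum):
    PASS = "pass"      # forwarded, possibly with rewritten addresses
    DROP = "drop"      # discarded silently: no ICMP error, no "bounce" message
    DIVERT = "divert"  # shunted to the proxy network instead of the real host


@dataclass(frozen=True)
class Packet:
    iface: str         # interface the screen received it on
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    dport: int
    hour: int          # local hour (0-23) at which the screen received it
    syn: bool = False  # True for a TCP connection initiation


@dataclass(frozen=True)
class Decision:
    action: Action
    out: Optional[Packet]  # packet as it leaves the screen; None when dropped
    reason: str            # what the log file would record


# Constructed allowed-source table: source network -> permitted TCP ports and hours.
ALLOWED = {
    ip_network("198.51.100.0/24"): {"ports": {21, 25}, "hours": range(0, 24)},
    ip_network("203.0.113.0/24"): {"ports": {25}, "hours": range(8, 18)},
}


def screen(p: Packet) -> Decision:
    src = ip_address(p.src)
    # 1. Interface consistency: a "private" source off the private port, or a
    #    "proxy" source off the proxy port, is a spoofing attempt. Drop, no reply.
    if src in PRIVATE_NET and p.iface != PRIVATE_IF:
        return Decision(Action.DROP, None, "private source on non-private interface")
    if src in PROXY_NET and p.iface != PROXY_IF:
        return Decision(Action.DROP, None, "proxy source on non-proxy interface")
    # 2. Outbound from the private network: may initiate sessions; hide the
    #    topology by making every packet appear to come from one host.
    if p.iface == PRIVATE_IF:
        if src not in PRIVATE_NET:
            return Decision(Action.DROP, None, "foreign source on private interface")
        return Decision(Action.PASS, replace(p, src=MASQ_SRC), "outbound, source masqueraded")
    # 3. From the proxy network: replies only (no session initiation), leaving
    #    with the real host's address so the proxy network stays invisible.
    if p.iface == PROXY_IF:
        if p.syn:
            return Decision(Action.DROP, None, "proxy hosts may not initiate sessions")
        return Decision(Action.PASS, replace(p, src=REAL_FOR.get(p.src, p.src)),
                        "proxy reply, real host address restored")
    # 4. Inbound from the public network: consult the allowed-source table.
    rule = next((r for net, r in ALLOWED.items() if src in net), None)
    if rule is None:
        return Decision(Action.DROP, None, "source not cleared in advance")
    if p.proto != "tcp" or p.dport not in rule["ports"]:
        return Decision(Action.DROP, None, "service not permitted for this source")
    if p.hour not in rule["hours"]:
        return Decision(Action.DROP, None, "outside permitted hours")
    if p.dst in PROXY_FOR:
        return Decision(Action.DIVERT, replace(p, dst=PROXY_FOR[p.dst]),
                        "mirrored host: shunted to proxy network")
    return Decision(Action.PASS, p, "passed unaltered; no screen address added")


if __name__ == "__main__":
    spoofed = Packet(PUBLIC_IF, "10.1.0.7", "10.1.0.25", "tcp", 25, 10, syn=True)
    inbound = Packet(PUBLIC_IF, "198.51.100.9", "10.1.0.25", "tcp", 25, 3, syn=True)
    for pkt in (spoofed, inbound):
        d = screen(pkt)
        print(d.action.value, d.reason, d.out.dst if d.out else "-")
```

The order of the checks matters: the interface test runs before the allowed-source lookup, so a forged private-network source is discarded even if that address would otherwise be permitted, and a proxy host attempting to open a session is refused before its packet can benefit from the lower hurdles that proxy-originated traffic otherwise enjoys.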
The application of the screening criteria leads the screen 340 to take one or several pre-defined actions on each data packet; these actions are discussed below.

Actions To Be Taken on Packets

Actions are taken on each data packet by the screening system 340, based upon the foregoing criteria and the particular security protocol and level for that packet as determined in advance by the system administrator. For instance, it may be decided that no packets from (or to) any source that is not cleared in advance will be allowed in; in this case, packets from (or to) any other source will be dropped by the screen 340 without further action, either with or without an error message or other communication back to the sender; the sender will have no indication of what has happened to the packet, and there will be no "bounce" message.

This helps prevent attacks on the system. For instance, if a trace_route packet is received, instead of following the normal IP procedure of responding to the packet the screen of the invention simply discards it, and the initiator of the trace_route command cannot in this way detect the screen.

Topology hiding, i.e. changing the network address of the packet as it passes through the screen, can be done so that it appears that all the packets issuing from the screen come from the same host, even though they are coming from a multiplicity of sources. This inhibits outsiders attempting to leverage off the knowledge they may gain by learning userids, host names, etc. within the private network.

Another action can, of course, be to simply pass the packet through to its destination, with or without some alteration based upon predetermined criteria. For instance, it may be decided in advance that all packets from a given host inside private network 330 will have the userid or host ID stripped off, and the packet may be passed through with some other IP source address.

Encryption and decryption may also automatically be executed on certain data packets, with the criteria defined by the system administrator. Along with this it may be desirable to encapsulate a packet and give it a new header with a new IP address, as described for instance in applicant's copending U.S. patent application entitled "System for Signatureless Transmission and Reception of Data Packets Between Computer Networks" by Aziz et al., Ser. No. 08/306,337 filed Sep. 15, 1994, now U.S. Pat. No. 5,548,646, which is incorporated herein by reference.

Packets will normally be logged in the log file storage 640 (especially failed attempts or requests), including whatever information the system administrator decides is important, such as: time of day; source and destination addresses; requested operation(s); other actions taken with respect to each packet; number of requests to date from this source; and so on.

Packets may also be counted, so a running total of the number processed in a certain time period is kept.

Address rewriting is mentioned above; other contents of the packet may also be automatically rewritten by pre-defined actions, including rewriting or otherwise altering data or messages carried by packets.

State information about the packets can also be determined, logged if desired, and altered by actions. For instance, TCP/IP (transmission control protocol/internet protocol) status can be affected as desired to establish, maintain or end a connection. In general, the screen can store information about what state each packet is in, and take actions dependent upon that state, including maintaining information about which packet was the initial request, which is the response, and so on; so prior events may have to be stored for some time, but in this case the screen can determine the entire history of a series of transactions and take appropriate actions at each time.

An important action for security purposes is that of sending packets aside to the proxy network 430, which includes servers/hosts as discussed above that execute operations upon the packets as if the proxy hosts were the actual, intended destination servers. Upon execution of such operations, a proxy host may then return a given packet to the sender, i.e. send the packet off with the original sender's address as the destination. That packet will then go through the screen 340, which will subject it to the predetermined inspection criteria, just as when it was first received at the screen from, for instance, public network 350. The criteria will typically have different results for packets emanating from the proxy network 430 or the private network 330; for instance, it may be decided that no hosts outside the private network may institute telnet sessions to the private network, but that hosts inside the private network may institute telnet sessions to hosts outside the private network.

The fact that the screening system has no network address (IP or otherwise) enables it to carry out its security functions anonymously; notably, it does not act as a conventional network bridge. If the screen 340 provided the functions of a bridge, it would have to respond to IP commands, and hence would be detectable and targetable.

The proxy network has the additional advantage of preventing outsiders from ever actually entering the private network 330; once a user has been allowed access or a connection to a private network, it is much more difficult to restrict his/her actions than if no access at all is allowed. By providing duplicate or mirrored proxy functionality for some of the services of the private network in the proxy network, and/or functionality of unique host or other services (hardware and/or software) in the proxy network, the outside user's requests are met while invisibly preventing him/her from ever actually accessing the private network.

In addition, it may be decided that no such sessions may be instituted at all from within the proxy network, which might compromise security of the private network, since packets from the proxy network in general will otherwise have lower hurdles to overcome to be retransmitted by the screen, since they will be more "trusted" by the system. Allowing the proxy network to initiate TCP sessions might allow an intruder from outside the system to effectively bypass the firewall security if he/she can figure out how to cause the proxy network to institute a TCP session instead of having to do so from the public network.

It may be desirable to allow certain connections to be established from the private network to the public network, but not vice versa. For instance, TCP sessions (such as telnet or ftp) may be initiated by a user within the private network 330 to the public network 350, while blocked from any public network machine to the private network.

In general, all actions taken by the proxy network will pass the packets without identifying the proxy network or any host in it as a separate IP entity. Thus, the packets will, upon being passed or returned after processing, either appear to have been processed by the specified destination host (when in fact the proxy host has handled it), or they will be processed to remove, alter, or otherwise obscure the destination address (which is the source address for return packets). In either case, no IP address for the proxy host exists, and none is appended to any packets.

Functional Architecture of the Screening System

FIG. 9 is a functional block diagram corresponding to FIG. 8, but showing the functional modules that are used by
the screen 340. In the preferred embodiment these modules are, as indicated above, program instruction modules stored in memory 400 and executed by processor 390.

The modules shown in FIG. 9 include a packet inspector 600 with a process 602-606 for each of the network interfaces 410-425; an engine 610 with rules 620; actions 630 and a log file storage 640; a packet state table 650, which is a conventional hash table; a cache fragmentation module 670 (along with a fragmentation bypass as shown); a packet fragmentor 660 coupled to each of the network interfaces 410-425; and a learning bridge table 680. The connections shown in FIG. 9 refer to logical (software) instructions or hardware instructions or both, depending upon the particular physical implementation of the invention.

The packet inspector 600 includes the instructions for inspecting the contents of the incoming packets based upon the criteria discussed above. That is, each incoming data packet, wherever it comes from, is subjected to packet inspection by the packet inspector 600.

The engine 610 processes incoming packets, and passes

One embodiment suitable for implementing packet inspection is shown in the flow chart of FIG. 11, though many variations are possible. In this exemplary flow chart, upon receipt of the packet (box 900), each of the packet headers is inspected in order (box 910), i.e. the physical link (such as IP); the IP header (is it TCP?); the TCP header (as to which port is designated and whether it's an existing or a new connection); and so on.

At boxes 920 and 940, negative determinations lead to box 930 for appropriate actions; positive determinations lead to box 950, where the designated port is determined, and then to box 960, where it is determined whether this particular connection is allowed, taking into account the information the packet inspector has at its disposal, including the header information and also the packet contents, source, destination and the other information mentioned above.

If the connection is not allowed, it is blocked (box 970), but otherwise it is allowed, and then the method tests whether it is an initial connection (box 980); if so, then at box 990 the connection is established, and at box 995 information is stored in the state table 650 (see FIG. 9) to identify the new connection. If not, then the connection is checked at box 1010 and any update information (e.g. new

them to the actions 630 to execute the appropriate operations information about the connection) is stored in table 650. 

on the packets, as discussed above. The actions modules 630 p rom e j tner step 999 or 1020, the method proceeds to box 

are the modules dedicated to performing these operations. 25 1000, i.e. returns to box 810 in FIG. 10. 

The log file storage 640 is used to store information about It will be appreciated as mentioned that FIG. 11 is but one 

the data packets received at the screen 340, as discussed embodiment of myriad possible sequences of tests and 

above. The packet state table 650 is similarly used to store operations that may be carried out in the packet inspection 

information about states of the received packets. P hase - ^ operations executed of FIG. 11 may be carried 

™ £ . , cc . a ■ , . out by the engine 600 based upon the results of the packet 

The fragmentor 660 operates in a conventional manner to 30 ^ * tion (e | at boxcs 920 £ 40 960 and 980) 

fragment packets that are larger than a predefined maximum p rocee ding to box 820 in FIG. 10, the packet is passed to 

transmission unit (MTU). This may occur, for instance, the engine m which executes the appropriate predefined 

where the screen adds information to a packet so as to operations discussed above. Typically, for firewalUscreen 

increase its size past this allowable maximum. A fragmen- 340 this will involve blocking or passing the packets, where 

tation cache 670 is used in conventional fashion to imple- 35 jf tne y are passed they may be turned aside to be operated 

ment fragmentation and reconstruction of packets. Fragmen- upon by a proxy host in the proxy network 430. 

tation packets typically include primarily or only an IP The current packet is thus passed to the actions module 

header information and data (in particular, no port number is 630 for execution of the appropriate actions (box 830), and 

included), and the screen 340 will rebuild the packets as at box 840 the engine determines whether there are addi- 

necessary, using the fragmentation cache. That is, the first 40 tional actions to be taken, based upon the packet inspector 

fragmented packet is stored in the fragmentation cache, as results and its own determination of which actions were 

are subsequent fragments, until the last fragmented packet is appropriate to take. On the first pass through for a given 

received, and the packet is then reconstructed. packet, there will be at least one action to take (even if it is 

« r . . . 1 1 .I , . only one action, e.g. to drop the packet without further 

The fragmentation bypass 675 is used by the packet ,/ * a ' ? 4 « «. oa* n 1 j . L 

f . #u • *• e c * j ^ action); so the first time through, box 840 will lead to box 

inspector to bypass the engine operation for fragmented 45 ^ ^ ^ fe &^ 

packets for which information is found in the fragmentation ^ c method ^ dg back tQ box 83Q and ^ b 

cache 670. Thus, when fragmented packets that second or fe completed until ^ actions determ ined by the engine have 

later in the series of fragmented packete are received, this is been taken b ^ actioQS modulc M ^ ^ box g40 

detected when the packet inspector 600 checks the fragmen- ^ {Q box g60) where ^ screen 340 determines whether 

tation cache 670. In such a case, the newly received frag- 50 ^ fa ^ ^ q£ ^ ^ 

mentation packet is sent via bypass 675 to the actions 630, ^rfaxs). If so, the method begins anew at box 800, and if 

rather than via the engine 610. ^ then ^ method ends at box 8?0 {{ may recommence 

The learning bridge table 680 allows the screen 340 to act time a new packet is received, 

as a conventional learning bridge, i.e. to keep track of which What is claimed is: 

hosts are on which side of the screen, and maintain tables of 55 1 a screening system connected to a first computer 

this information as packets arrive from one host or another network and a second computer network, said screening 

at each of the screen's ports (network interfaces). system for screening data packets transmitted between the 

Operation of the Screening System first and second networks without revealing an IP address, 

FIGS. 10-11 are flow charts showing a preferred embodi- 60 including: 

ment of the method of the invention. When a packet is sent a processor; 

by a host on, for instance, public network 350, it is received a memory coupled to the processor; 

at port (interface) 425 of the screen 340. See box 800 in FIG. interface circuits for transmitting and receiving data pack- 

10. The packet inspector inspects the contents of the packet cts to and from said first and second networks; and 

as described above (box 810). 65 program instructions stored in said memory for control- 

If the packet is to be rejected, it is efficient to do this by ling flow of data packets between the first and second 

using the learning bridge table (of source addresses) 680. networks, including: 
a first program module for determining whether a first
data packet transmitted from the first network to the 
second network meets predetermined criteria; 

a second program module for passing the first data 
packet to the second network if the predetermined 
criteria are met; 

a third program module for preventing passage of the 
first data packet to the second network, if the pre- 
determined criteria are not met. 

2. The system of claim 1, where the third program module 
prevents passage of the first data packet without sending a 
response to the first network. 

3. A proxy system coupled to a screening system con-
nected between a first computer network and a second
computer network for screening data packets sent from said 
first network to said second network without revealing an IP 
address, at least one said data packet including a first field 
specifying an intended recipient system for the data packet 
and further including a second field specifying a requested 
operation for said intended recipient system to execute, the 
proxy system including: 
a processor;

a memory connected to said processor configured for 
storing instruction modules specifying operations to be 
executed by said processor; 

a plurality of action modules stored in said memory 
including instructions specifying a predetermined set of 
actions to be taken with respect to at least a first said 
data packet received at said screening system, based 
upon predetermined criteria with respect to contents of 
said first data packet; 

a screening module including instructions for the screen- 
ing system to block passage of said first data packet to 
said second computer network; and 

an operation module controlling said plurality of action 
modules to select one of said actions to be taken by said 
proxy system processor in lieu of said requested opera- 
tion. 
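As an added illustration of the state tracking described above (initial request versus response, establishing and maintaining a connection), of the packet inspection flow of FIG. 11 with its state table 650, of the action loop of FIG. 10, and of the proxy-network rule that no proxy host address is appended to any packet, the following Python is example code written for this page, not code from the patent. The packet fields, rules, addresses, interface names, the proxy host mapping, and the way the learning bridge table is used to reject a source address previously seen on a different port of the screen are all assumptions made for the example.

```python
"""Added example (not the patent's code): a small stateful packet screen modelled on
FIGS. 9-11.  Packet fields, rules, addresses and interface names are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields the inspector looks at (constructed, not a real parser)."""
    iface: str            # screen port the packet arrived on: "public", "private", "proxy"
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"; anything else fails at box 920
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass(frozen=True)
class Rule:
    """An engine rule (620): a service that may be opened and the actions (630) to run."""
    proto: str
    dst_port: int
    actions: Tuple[str, ...]        # any of "log", "proxy", "pass", "drop"; run in order


def conn_key(p: Packet):
    """Direction-independent key so a reply finds the same state-table entry."""
    ends = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (p.proto, ends[0], ends[1])


class Screen:
    def __init__(self, rules: List[Rule], proxy_hosts: Dict[int, str]):
        self.rules = {(r.proto, r.dst_port): r for r in rules}
        self.proxy_hosts = proxy_hosts      # dst port -> proxy-network host serving it
        self.state: Dict[tuple, dict] = {}  # packet state table 650 (a hash table)
        self.bridge: Dict[str, str] = {}    # learning bridge table 680: src_ip -> iface
        self.log: List[str] = []            # log file storage 640

    def inspect(self, p: Packet):
        """FIG. 11: returns ("allow", state entry) or ("drop", reason)."""
        if p.proto not in ("tcp", "udp"):                  # box 920 -> 930
            return "drop", "unsupported protocol"
        # Assumption: the bridge table is used to reject a source address that was
        # learned on a different port of the screen, i.e. an apparently spoofed sender.
        seen = self.bridge.get(p.src_ip)
        if seen is not None and seen != p.iface:           # box 940 -> 930
            return "drop", "source learned on other interface"
        self.bridge[p.src_ip] = p.iface
        entry = self.state.get(conn_key(p))
        if entry is not None:                              # existing: boxes 1010/1020
            entry["packets"] += 1
            if p.fin:
                entry["state"] = "closing"
            return "allow", entry
        if p.proto == "tcp" and (not p.syn or p.ack):      # box 980: not an initial packet
            return "drop", "no state for mid-stream tcp packet"
        rule = self.rules.get((p.proto, p.dst_port))       # boxes 950/960
        if rule is None:
            return "drop", "no rule permits port"          # box 970
        entry = {"state": "established", "packets": 1, "rule": rule, "orig_dst": p.dst_ip}
        self.state[conn_key(p)] = entry                    # boxes 990/995
        return "allow", entry

    def process(self, p: Packet) -> Optional[Packet]:
        """FIG. 10 boxes 810-850: inspect, then run the engine's actions; None = dropped."""
        verdict, info = self.inspect(p)
        if verdict == "drop":
            self.log.append(f"drop {p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}: {info}")
            return None                    # silently, with no response to the sender
        out = p
        for action in info["rule"].actions:                # boxes 830/840 action loop
            if action == "log":
                self.log.append(f"pass {p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}")
            elif action == "proxy":
                out = self._proxy(out, info)
            elif action == "drop":
                return None
        return out

    def _proxy(self, p: Packet, entry: dict) -> Packet:
        """Turn the packet aside to the proxy host without exposing the host's address."""
        proxy_ip = self.proxy_hosts[entry["rule"].dst_port]
        if p.src_ip == proxy_ip:           # reply: made to appear from the intended host
            return replace(p, src_ip=entry["orig_dst"])
        fwd = replace(p, dst_ip=proxy_ip)
        self.state[conn_key(fwd)] = entry  # so the proxy host's replies find the same entry
        return fwd
```

`process` returns the packet to forward (possibly with a rewritten address) or `None` for a silent drop; a mid-stream TCP segment with no state-table entry, a port with no rule, and a source address learned on another interface are all dropped without any response to the sender.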
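The fragmentor 660, fragmentation cache 670 and bypass 675 described above, as an added example in Python (not the patent's code): a simplified IPv4 fragment model in which only the first piece carries the port numbers, so the engine decides on that piece and later pieces of the same datagram reach the actions through the cache without the engine. The engine policy, addresses, ports and sizes are constructed; the handling of an overlapping piece with conflicting bytes is an added check that the description does not mention.

```python
"""Added example (not the patent's code): the fragmentor (660), fragmentation cache
(670) and engine bypass (675) of FIG. 9.  The fragment layout is a simplified IPv4
model and every packet, address and port below is constructed for the example."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    src_ip: str
    dst_ip: str
    ident: int       # IP identification field, shared by all pieces of one datagram
    offset: int      # byte offset of this piece in the original payload
    more: bool       # more-fragments flag, False on the last piece
    payload: bytes   # only the first piece (offset 0) carries the transport header


@dataclass
class Result:
    action: str                # "pass", "drop" or "hold" (no verdict available yet)
    path: str                  # "engine", "bypass" (cached verdict) or "none"
    datagram: Optional[bytes]  # reassembled payload once complete and passed, else None


def fragment(src_ip: str, dst_ip: str, ident: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Fragmentor 660: split a payload larger than the MTU into pieces that fit.
    IPv4 fragment offsets are multiples of 8 bytes, so the piece size is rounded down."""
    if len(payload) <= mtu:
        return [Fragment(src_ip, dst_ip, ident, 0, False, payload)]
    step = (mtu // 8) * 8
    if step == 0:
        raise ValueError("MTU too small to carry a fragment")
    return [Fragment(src_ip, dst_ip, ident, off, off + step < len(payload), payload[off:off + step])
            for off in range(0, len(payload), step)]


def demo_engine(first: Fragment) -> str:
    """Stand-in for engine 610: reads the destination port from the transport header in
    the first fragment and allows only port 80 (constructed policy)."""
    _, dport = struct.unpack(">HH", first.payload[:4])
    return "pass" if dport == 80 else "drop"


class FragmentCache:
    """Fragmentation cache 670; later pieces of a known datagram bypass the engine (675)."""

    def __init__(self, engine: Callable[[Fragment], str]):
        self.engine = engine
        self.entries: Dict[tuple, dict] = {}   # (src, dst, ident) -> pieces and verdict

    def receive(self, f: Fragment) -> Result:
        key = (f.src_ip, f.dst_ip, f.ident)
        entry = self.entries.setdefault(key, {"verdict": None, "pieces": {}, "total": None})
        if f.offset == 0:
            # First piece: it carries the port numbers, so the engine can decide
            entry["verdict"], path = self.engine(f), "engine"
        elif entry["verdict"] is not None:
            path = "bypass"                     # cached verdict, engine not consulted
        else:
            path = "none"                       # piece arrived before the first: hold it
        old = entry["pieces"].get(f.offset)
        if old is not None and old != f.payload:
            # Overlapping piece with different bytes: a reassembly-evasion pattern, so
            # the whole datagram is discarded rather than guessing which copy is real
            del self.entries[key]
            return Result("drop", path, None)
        entry["pieces"][f.offset] = f.payload
        if not f.more:
            entry["total"] = f.offset + len(f.payload)
        action = entry["verdict"] or "hold"
        datagram = self._reassemble(entry)
        if datagram is not None:
            del self.entries[key]               # last piece received: cache entry retired
        return Result(action, path, datagram if action == "pass" else None)

    @staticmethod
    def _reassemble(entry: dict) -> Optional[bytes]:
        """Join the pieces once the last one is known and there are no gaps."""
        if entry["total"] is None:
            return None
        out, pos = bytearray(), 0
        for off in sorted(entry["pieces"]):
            if off != pos:
                return None                     # a gap: still waiting for a piece
            out += entry["pieces"][off]
            pos += len(entry["pieces"][off])
        return bytes(out) if pos == entry["total"] else None
```

The `path` field makes the bypass visible: only the first piece of each datagram shows `"engine"`, every later piece of a datagram already in the cache shows `"bypass"`, and a piece that arrives before its first fragment is held with no verdict until the first piece supplies the port numbers.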